IBM QRadar


API for adding of yara rules

  • 1.  API for adding of yara rules

    Posted Mon September 25, 2023 02:51 AM

    Hi,

    Is there any API for the adding of Yara rules in QRadar?

    Best regards,

    Tan Boon Chang



    ------------------------------
    Boon Chang Tan
    ------------------------------


  • 2.  RE: API for adding of yara rules

    Posted Tue September 26, 2023 08:48 AM

    Hello Boon Chang,

    There is QRadar application called "IBM Security QRadar Manager for YARA and SIGMA Rules" available on X-Force App Exchange. This app allows users to upload YARA rules or import them from GitHub, and to test them against logs, flows, and files.

    Please check it. I hope this application can solve your tasks.



    ------------------------------
    Maksym Tykhenko
    ------------------------------



  • 3.  RE: API for adding of yara rules

    Posted Tue September 26, 2023 09:21 AM

    Hi Maksym,

    Perhaps I did not frame my question clearly.

    I am already using 'IBM Security QRadar Manager for YARA' and am adding YARA rules with it into my QRadar system.

    What I am asking about is whether there is an API available to be used with this YARA Manager, for such scenarios as there being no internet connection available to connect to Github to import the YARA rules. In this scenario, a separate API which is able to import the YARA rules, be it without going through the YARA Manager or working hand-in-hand with the YARA Manager, would be useful.

    Wonder if there is such an API.

    Best regards,

    Tan Boon Chang



    ------------------------------
    Boon Chang Tan
    ------------------------------



  • 4.  RE: API for adding of yara rules

    Posted Tue September 26, 2023 11:04 AM

    Hi Boon Chang,

    YARA rule manager provides you the ability to import rules from Github and, in addition to that, you can import from a local file or paste/enter rules directly into a web form. This video provides a short overview: https://www.youtube.com/watch?v=_naH1CJfAyU

    Let me know if this is helpful. Otherwise, maybe, provide a bit more details of the workflow you're facing (what is available/what's not, where do you have your rules available, do you envision some sort of automation or is it ok to provision/convert rules manually via GUI).

    Kind regards,



    ------------------------------
    Maksym Tykhenko
    ------------------------------



  • 5.  RE: API for adding of yara rules

    Posted Tue September 26, 2023 11:20 AM

    Hi Maksym,

    Yes, I am quite familiar with the QRadar YARA Manager as I have been using it for quite a while already.

    And yes, I am envisioning some sort of automation.

    Such that a user does not need to be physically present and manually click through the various steps to import the YARA rule (from whichever source, be it local or Github). I think I can do this with general automation tools in the market. I am wondering if there is any API provided by QRadar already available to achieve this. For example, a backend folder where the imported YARA rules are stored and to which I can automatically import rules, or even an API similar to the qradar/api_doc which is able to achieve this.

    Best regards,

    Tan Boon Chang



    ------------------------------
    Boon Chang Tan
    ------------------------------



  • 6.  RE: API for adding of yara rules

    Posted Tue September 26, 2023 04:15 PM

    Hello

    Nice to hear that you have been using the app for a while!

    Unfortunately, there is no mechanism that allows you to do that currently. Feel free to open an RFE on the Ideas portal and the feasibility will be evaluated.

    Have a good day!



    ------------------------------
    Gladys Koskas
    ------------------------------



  • 7.  RE: API for adding of yara rules

    Posted Fri September 29, 2023 05:23 AM

    Hi Gladys,

    Thank you for the reply.

    I would like to know if there are any learning tutorial videos regarding the use of QRadar YARA Manager.

    Best regards,

    Tan Boon Chang



    ------------------------------
    Boon Chang Tan
    ------------------------------



  • 8.  RE: API for adding of yara rules

    Posted Fri September 29, 2023 08:45 AM

    From the top of my head:

    1. Here are a couple of videos with a short overview:

    2. You can also check other videos from Jose Bravo; his videos contain references to a Box folder with extra content.

    3. Additionally, the YARA / SIGMA Manager application on App Exchange contains links to blog posts and similar materials that can be helpful.

    Kind regards,



    ------------------------------
    Maksym Tykhenko
    ------------------------------



  • 9.  RE: API for adding of yara rules